Key flow authentication (#67)
* Add key flow params to provider * Update docs, add examples
This commit is contained in:
Vicente Pinto
GitHub
parent
7354808f02
commit
bc27bc20db
29 changed files with 318 additions and 27 deletions
|
|
@ -8,11 +8,96 @@ The STACKIT provider is the official Terraform provider to integrate all the res
|
|||
provider "stackit" {
|
||||
region = "eu01"
|
||||
}
|
||||
|
||||
# Authentication
|
||||
|
||||
# Token flow
|
||||
provider "stackit" {
|
||||
region = "eu01"
|
||||
service_account_token = var.service_account_token
|
||||
}
|
||||
|
||||
# Key flow
|
||||
provider "stackit" {
|
||||
region = "eu01"
|
||||
service_account_key = var.service_account_key
|
||||
private_key = var.private_key
|
||||
}
|
||||
|
||||
# Key flow (using path)
|
||||
provider "stackit" {
|
||||
region = "eu01"
|
||||
service_account_key_path = var.service_account_key_path
|
||||
private_key_path = var.private_key_path
|
||||
}
|
||||
```
|
||||
|
||||
## Authentication
|
||||
|
||||
Currently, only the *token flow* is supported. The Terraform provider will first try to find a token in the `STACKIT_SERVICE_ACCOUNT_TOKEN` env var. If not present, it will check the credentials file located in the path defined by the `STACKIT_CREDENTIALS_PATH` env var, if specified, or in `$HOME/.stackit/credentials.json` as a fallback. If the token is found, all the requests are authenticated using that token.
|
||||
To authenticate, you will need a [service account](https://docs.stackit.cloud/stackit/en/service-accounts-134415819.html). Create it in the STACKIT Portal an assign it the necessary permissions, e.g. `project.owner`. There are multiple ways to authenticate:
|
||||
|
||||
- Key flow (recommended)
|
||||
- Token flow
|
||||
|
||||
When setting up authentication, the provider will always try to use the key flow first and search for credentials in several locations, following a specific order:
|
||||
|
||||
1. Explicit configuration, e.g. by seting the fiel `stackit_service_account_key_path` in the provider block (see example below)
|
||||
2. Environment variable, e.g. by setting `STACKIT_SERVICE_ACCOUNT_KEY_PATH`
|
||||
3. Credentials file
|
||||
|
||||
The SDK will check the credentials file located in the path defined by the `STACKIT_CREDENTIALS_PATH` env var, if specified,
|
||||
or in `$HOME/.stackit/credentials.json` as a fallback.
|
||||
The credentials should be set using the same name as the environmnet variables. Example:
|
||||
|
||||
```json
|
||||
{
|
||||
"STACKIT_SERVICE_ACCOUNT_TOKEN": "foo_token",
|
||||
"STACKIT_SERVICE_ACCOUNT_KEY_PATH": "path/to/sa_key.json",
|
||||
"STACKIT_PRIVATE_KEY_PATH": "path/to/private_key.pem"
|
||||
}
|
||||
```
|
||||
|
||||
### Key flow
|
||||
|
||||
To use the key flow, you need to have a service account key and an RSA key-pair.
|
||||
To configure it, follow this steps:
|
||||
|
||||
The following instructions assume that you have created a service account and assigned it the necessary permissions, e.g. project.owner.
|
||||
|
||||
1. In the Portal, go to `Service Account -> Service Account Keys` and create a key.
|
||||
- You can create your own RSA key-pair or have the Portal generate one for you.
|
||||
2. Save the content of the service account key and the corresponding private key by copying them or saving them in a file. The expected format of the service account key is the following:
|
||||
```json
|
||||
{
|
||||
"id": "uuid",
|
||||
"publicKey": "public key",
|
||||
"createdAt": "2023-08-24T14:15:22Z",
|
||||
"validUntil": "2023-08-24T14:15:22Z",
|
||||
"keyType": "USER_MANAGED",
|
||||
"keyOrigin": "USER_PROVIDED",
|
||||
"keyAlgorithm": "RSA_2048",
|
||||
"active": true,
|
||||
"credentials": {
|
||||
"kid": "string",
|
||||
"iss": "my-sa@sa.stackit.cloud",
|
||||
"sub": "uuid",
|
||||
"aud": "string",
|
||||
(optional) "privateKey": "private key when generated by the SA service"
|
||||
}
|
||||
}
|
||||
```
|
||||
3. Configure the service account key and private key for authentication in the SDK:
|
||||
- setting the fiels in the provider block: `service_account_key` or `service_account_key_path`, `private_key` or `private_key_path`
|
||||
- setting environment variables: `STACKIT_SERVICE_ACCOUNT_KEY_PATH` and `STACKIT_PRIVATE_KEY_PATH`
|
||||
- setting them in the credentials file (see above)
|
||||
|
||||
### Token flow
|
||||
|
||||
Using this flow is less secure since the token is long-lived. You can provide the token in several ways:
|
||||
|
||||
1. Setting the field `service_account_token` in the provider
|
||||
2. Setting the environment variable `STACKIT_SERVICE_ACCOUNT_TOKEN`
|
||||
3. Setting it in the credentials file (see above)
|
||||
|
||||
<!-- schema generated by tfplugindocs -->
|
||||
## Schema
|
||||
|
|
@ -22,15 +107,22 @@ Currently, only the *token flow* is supported. The Terraform provider will first
|
|||
- `argus_custom_endpoint` (String) Custom endpoint for the Argus service
|
||||
- `credentials_path` (String) Path of JSON from where the credentials are read. Takes precedence over the env var `STACKIT_CREDENTIALS_PATH`. Default value is `~/.stackit/credentials.json`.
|
||||
- `dns_custom_endpoint` (String) Custom endpoint for the DNS service
|
||||
- `jwks_custom_endpoint` (String) Custom endpoint for the jwks API, which is used to get the json web key sets (jwks) to validate tokens when using the key flow
|
||||
- `logme_custom_endpoint` (String) Custom endpoint for the LogMe service
|
||||
- `mariadb_custom_endpoint` (String) Custom endpoint for the MariaDB service
|
||||
- `objectstorage_custom_endpoint` (String) Custom endpoint for the Object Storage service
|
||||
- `opensearch_custom_endpoint` (String) Custom endpoint for the OpenSearch service
|
||||
- `postgresflex_custom_endpoint` (String) Custom endpoint for the PostgresFlex service
|
||||
- `postgresql_custom_endpoint` (String) Custom endpoint for the PostgreSQL service
|
||||
- `private_key` (String) Private RSA key used for authentication. If set alongside the service account key, the key flow will be used to authenticate all operations.
|
||||
- `private_key_path` (String) Path for the private RSA key used for authentication. If set alongside the service account key, the key flow will be used to authenticate all operations.
|
||||
- `rabbitmq_custom_endpoint` (String) Custom endpoint for the RabbitMQ service
|
||||
- `redis_custom_endpoint` (String)
|
||||
- `region` (String) Region will be used as the default location for regional services. Not all services require a region, some are global
|
||||
- `resourcemanager_custom_endpoint` (String) Custom endpoint for the Resource Manager service
|
||||
- `service_account_email` (String) Service account email. It can also be set using the environment variable STACKIT_SERVICE_ACCOUNT_EMAIL
|
||||
- `service_account_key` (String) Service account key used for authentication. If set alongside private key, the key flow will be used to authenticate all operations.
|
||||
- `service_account_key_path` (String) Path for the service account key used for authentication. If set alongside the private key, the key flow will be used to authenticate all operations.
|
||||
- `service_account_token` (String) Token used for authentication. If set, the token flow will be used to authenticate all operations.
|
||||
- `ske_custom_endpoint` (String) Custom endpoint for the Kubernetes Engine (SKE) service
|
||||
- `token_custom_endpoint` (String) Custom endpoint for the token API, which is used to request access tokens when using the key flow
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue